IBM Support

How do I enable Sysplex-Wide Security Associations for IPv4?

Question & Answer


Question

How do I enable Sysplex-Wide Security Associations (SWSA) for IPv4?

Answer

In a sysplex environment, SWSA distributes IPSec Security Associations (SAs) to the target stacks of distributed DVIPAs.

To enable Sysplex Wide Security Associations (SWSA) for IPv4, do all of the following:

  • specify IPCONFIG IPSECURITY in the TCP/IP profile

  • specify the DVIPSEC parameter on the IPSEC statement in the TCP/IP profile

  • use a coupling facility structure with a name in the form EZBDVIPAvvtt, where vv is the 2-digit VTAM group ID suffix specified on the XCFGRPID start option, and tt is the TCP group ID suffix specified on the GLOBALCONFIG statement in the TCP/IP profile.

To reestablish the Security Associations of a DVIPA, the DVIPSEC option must be specified in the TCP/IP profile of both the stack that the DVIPA is being moved from and the stack detecting the movement. It is not necessary to add DVIPSEC to hosts that serve only as targets for sysplex distributor.

When a DVIPA is moved from one IP security stack in a sysplex to another IP security stack, and both stacks have the DVIPSEC option specified, an attempt is made to automatically reestablish Security Associations on the backup stack. The IKE daemon on the system that is assuming control of the DVIPA attempts to renegotiate new Security Associations to replace the ones that were on the system that previously owned the DVIPA. If these attempts fail due to configuration errors or connectivity errors, manual intervention might be required. Phase 1 Security Association or phase 2 Security Association negotiations that were in progress at the time of the DVIPA movement are lost. However, if these negotiations were for a refresh, a new negotiation is started in the process of assuming control of the DVIPA.

When a DVIPA is moved from one IP security stack in a sysplex to another IP security stack, and one or both stacks do not have the DVIPSEC option specified, the Security Associations that are associated with that DVIPA must be reestablished by issuing the ipsec command, on-demand activation, or by a peer initiation.

To confirm that VTAM has connected to the EZBDVIPA structure, check that message IST1370I is issued to the console when VTAM connects.

To display whether the TCP/IP stack is configured for Sysplex-Wide Security Associations, issue the ipsec -f display command. A field in the header of the command output shows whether the DVIPSEC keyword is coded in the TCP/IP profile.
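As an added example (not IBM's code or any z/OS tool), the following Python reads a constructed TCP/IP profile fragment, checks the three prerequisites above (IPCONFIG IPSECURITY, DVIPSEC on the IPSEC statement, GLOBALCONFIG XCFGRPID) and derives the EZBDVIPAvvtt structure name the stack should connect to. The VTAM XCFGRPID value is passed in separately because it lives in the VTAM start options, not the profile; the statement keyword set and the comment/parameter parsing are simplified assumptions, not the real profile parser.

```python
"""Offline pre-check of a z/OS TCP/IP profile for the IPv4 SWSA prerequisites."""

# Assumed subset of TCP/IP profile statement keywords: a statement's parameter
# list is taken to run until the next keyword from this set.
STATEMENTS = {"GLOBALCONFIG", "IPCONFIG", "IPCONFIG6", "IPSEC", "IPSECRULE",
              "IPSEC6RULE", "ENDIPSEC", "DEVICE", "LINK", "HOME", "PORT",
              "VIPADYNAMIC", "ENDVIPADYNAMIC", "START"}

# Constructed sample profile, not taken from any real system. ';' starts a comment.
SAMPLE_PROFILE = """\
GLOBALCONFIG XCFGRPID 02          ; tt = TCP group ID suffix
IPCONFIG DATAGRAMFWD IPSECURITY   ; IP security enabled on this stack
IPSEC LOGENABLE DVIPSEC           ; DVIPSEC enables SWSA for IPv4 DVIPAs
  IPSECRULE * * NOLOG PROTOCOL *
ENDIPSEC
"""


def _params(tokens, statement):
    """Parameters of the first `statement`, up to the next statement keyword."""
    if statement not in tokens:
        return None
    start = tokens.index(statement) + 1
    end = start
    while end < len(tokens) and tokens[end] not in STATEMENTS:
        end += 1
    return tokens[start:end]


def check_swsa(profile, vtam_xcfgrpid):
    """Report SWSA readiness; vtam_xcfgrpid is the VTAM XCFGRPID start option (vv)."""
    tokens = []
    for line in profile.splitlines():
        tokens.extend(line.split(";", 1)[0].upper().split())  # drop comments
    ipconfig = _params(tokens, "IPCONFIG") or []
    ipsec = _params(tokens, "IPSEC") or []
    glob = _params(tokens, "GLOBALCONFIG") or []
    tt = glob[glob.index("XCFGRPID") + 1] if "XCFGRPID" in glob else None
    result = {
        "ipsecurity": "IPSECURITY" in ipconfig,
        "dvipsec": "DVIPSEC" in ipsec,
        "tcp_xcfgrpid": tt,
        # Structure name is derived only when both suffixes are known.
        "cf_structure": f"EZBDVIPA{vtam_xcfgrpid}{tt}" if tt and vtam_xcfgrpid else None,
    }
    result["swsa_ready"] = result["ipsecurity"] and result["dvipsec"] and tt is not None
    return result


if __name__ == "__main__":
    for key, value in check_swsa(SAMPLE_PROFILE, "01").items():
        print(f"{key:14} {value}")
```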


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
04 May 2015

UID

dwa1189388